hrbrmstr's Daily Drop

Drop #425 (2024-02-21): Wednesday Grab Bag

hrbrmstr

Phase; llrt; waybackpack

I spun the randomizer on my Raindrop.io tag for the Drop and here’s what came back. There should be something for everyone.

TL;DR

(This is an AI-generated summary of today’s Drop)

  • Phase: An open-source, end-to-end encrypted platform for managing, syncing, and sharing environment variables across development environments, CI pipelines, and cloud services. It offers a CLI for importing, encrypting, and injecting secrets, compatible with various keyring backends, and a console for managing app secrets with features like role-based access control and audit logs. More details can be found at https://phase.dev/ and https://github.com/phasehq/console.
  • LLRT (Low Latency Runtime): An experimental, lightweight JavaScript runtime by AWS, designed for serverless applications, offering significantly faster startup times and lower costs compared to other runtimes on AWS Lambda. It’s built in Rust, using QuickJS as the JavaScript engine, and supports a limited set of Node.js APIs. For more information, visit https://github.com/awslabs/llrt?tab=readme-ov-file.
  • Waybackpack: A command-line tool for downloading the entire Wayback Machine archive for a given URL, allowing users to scrape data from older versions of resources or resources that have disappeared. Installation and usage instructions are available at https://github.com/jsvine/waybackpack.

Phase

Photo by Andrea Piacquadio on Pexels.com

Phase (GH) is an open-source, end-to-end encrypted platform designed to manage, sync, and share environment variables. It’s a tool that’s built to work seamlessly across development environments, CI pipelines, and cloud services. With Phase, we can import and encrypt secrets from existing .env files and securely inject them into any platform or framework at runtime, all without the need for dependencies or code changes. It works as either a cloud-based or self-hosted service.

The Phase CLI is a provides commands for importing, encrypting, and injecting said secrets. It’s compatible with various keyring backends like macOS Keychain, Windows Credential Locker, and even the twist maze of passages that is keyring management on Linux. The Phase Console is the command center for all your app secrets, offering features like role-based access control, audit logs, secrets versioning, and point-in-time recovery.

The setup instructions are very good. They kind of have to be given that encryption and secrets management are involved. The rest of the docs aren’t too shabby as well.

I made a “default” app for testing, and Phase shoved some demo secrets in there.

One one of my arm64 Ubuntu boxes I made a “project” and initialized phase in it:

$ mkdir ptest && cd ptest
$ phase init
? Select an App: Default
✅ Initialization completed successfully.

Then I put this into test.sh and made that script executable:

echo $DJANGO_SECRET_KEY

If you run it without a phase context you’ll get nothing:

./test.sh

Running it in a phase context gets you the seekrit:

$ phase run ./test.sh
wwf*2#86t64!fgh6yav$aoeuo@u2o@fy&*gg76q!&%6x_wbduad

On my Mac, I can see that seekrit in JSON form via:

$ phase secrets get --app=default DJANGO_SECRET_KEY
{
    "key": "DJANGO_SECRET_KEY",
    "value": "wwf*2#86t64!fgh6yav$aoeuo@u2o@fy&*gg76q!&%6x_wbduad",
    "overridden": null,
    "tags": [],
    "comment": "This is an example secret."
}

They’ve made this whole thing pretty straightforward, and being able to self-host it over Tailscale/WireGuard means you can keep all your secrets safe in your own datastore and never have to expose the service to the internet.

llrt

Photo by Digital Buggu on Pexels.com

LLRT (Low Latency Runtime) is an experimental, lightweight JavaScript runtime designed for serverles applications, but it works in any compute context. It’s made by the AWS team, and — according to their benchmarks — offers up to over 10x faster startup and up to 2x overall lower cost compared to other JavaScript runtimes running on AWS Lambda. They built it in Rust, utilizing QuickJS (GH) as JavaScript engine. Be forewarned that llrt only supports a fraction of the Node.js APIs and will never be a replacement for Node. Check out the compatibility matrix to see if it’s worth your time poking at llrt.

They’ve got releases for pretty much anything (I tested it on Apple Silicon and arm64 Ubuntu). Folks on macOS may need to run:

$ sudo /usr/bin/xattr -d com.apple.quarantine llrt

after downloading and unzipping the binary.

Let’s start with a “‘sup, 🌍?” example. (Perhaps, create a throwaway project directory for this section.)

Put the following console.log("'sup, 🌍?"); into, say, hello.mjs and then run:

$ llrt hello.mjs
'sup, 🌍?

We can compile hello.mjs to bytecode, but it’s not worth it for this example.

All of the examples in the repo are tied to the AWS SDK. This makes sense given who made this runtime, but llrt doesn’t require an AWS context. Let’s make a simple example that fetches two data files and finds the intersection of one of the columns in each:

fetch("https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json").
  then(res => res.json()).
  then(kevData => {
    fetch("https://rud.is/data/tags.json").
      then(res => res.json()).
      then(tagsData => {
        const kevCVEs = kevData.vulnerabilities.map(d => d.cveID)
        const tagCVEs = [... new Set(tagsData.metadata.flatMap(d => d.cves))]
        
        console.log(
          tagCVEs.
            filter(d => kevCVEs.includes(d)).
            join("\n")
        )
      }).
      catch(err => console.log(err))
  }).
  catch(err => console.log(err))

I named that file kev.mjs and also compiled it with llrt compile kev.mjs to produce a kev.lrt bytecode file. In theory, you could just ensure llrt and that bytecode file are on the target system instead of shipping around raw JS code. I ran that in a few JS environments, and lrrt “wins”:

      Node 0.17s user 0.03s system 40% cpu 0.488 total
       Bun 0.05s user 0.05s system 18% cpu 0.517 total
      Deno 0.05s user 0.03s system 15% cpu 0.529 total
llrt (mjs) 0.04s user 0.03s system  9% cpu 0.736 total
llrt (lrt) 0.03s user 0.02s system  7% cpu 0.671 total

You can get all fancy and use a bunch of local Node modules, then bundle things with esbuild (et al.), but we’ll save that for antoher Drop.

Now, as we just saw, we already have Bun as an alternate JS runner. It’s recognized for its speed (it did beat Node) and efficiency, particularly in starting up and scaling dynamically. And, we also already have Deno, which emphasizes security and modern features, including better support for TypeScript and web standards. Do we need llrt?

Well, llrt is primarily designed to mesh well with the ephemeral nature of serverless platforms. One reason why it starts faster and runs more efficiently is that it doesn’t bother with just-in-time (JIT) compilation. That also reduces complexity.

I think this is a super neat project and will be keeping an eye on it, especially sicne QuickJS just keeps getting better all the time.

waybackpack

Photo by Pixabay on Pexels.com

This is a quick one.

Waybackpack is a “command-line tool that lets you download the entire Wayback Machine archive for a given URL.” It, pretty much, does one thing, and does it well.

Get it via:

$ python3 -m pip install waybackpack

List available versions:

$ waybackpack --list https://rud.is/ | tail -3
https://web.archive.org/web/20240214161938/https://rud.is/
https://web.archive.org/web/20240214161939/https://rud.is/
https://web.archive.org/web/20240214161939/https://rud.is/

Get’em…

$ waybackpack https://rud.is/ -d . --from-date 2024-02-21 --raw

INFO:waybackpack.pack: Fetching https://rud.is/ @ 20240101215435
INFO:waybackpack.pack: Writing to ./20240101215435/rud.is/index.html

INFO:waybackpack.pack: Fetching https://rud.is/ @ 20240124203416
INFO:waybackpack.pack: Writing to ./20240124203416/rud.is/index.html

INFO:waybackpack.pack: Fetching https://rud.is/ @ 20240214161938
INFO:waybackpack.pack: Writing to ./20240214161938/rud.is/index.html

INFO:waybackpack.pack: Fetching https://rud.is/ @ 20240214161939
INFO:waybackpack.pack: Writing to ./20240214161939/rud.is/index.html

INFO:waybackpack.pack: Fetching https://rud.is/ @ 20240214161939
INFO:waybackpack.pack: Writing to ./20240214161939/rud.is/index.html

If you want a complete mirror, you’ll need to fetch them individually.

This is a great way to scrape data from older versions of resources or resources that went missing.

FIN

Remember, you can follow and interact with the full text of The Daily Drop’s free posts on Mastodon via @dailydrop.hrbrmstr.dev@dailydrop.hrbrmstr.dev ☮️

, ,

Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.